What is the use of @EnableWebSecurity in Spring?

Question

As per the Spring documantation:

Add this annotation to an @Configuration class to have the Spring Security configuration defined in any WebSecurityConfigurer or more likely by extending the WebSecurityConfigurerAdapter base class and overriding individual methods:

Or As this @EnableWebSecurity depicts, is used to enable SpringSecurity in our project.

But my question is that even if I don't annotate any of my class with @EnableWebSecurity still the application prompting for username and password.(default behaviour)

So I am receiving the same behaviour with @EnableWebSecurity and without @EnableWebSecurity.

Can someone please explain what exactly is this annotation for?

Answer 1

The Spring Boot Reference Guide explains well about it. If you search with @EnableWebSecurity:

To switch off the default web application security configuration completely you can add a bean with @EnableWebSecurity (this does not disable the authentication manager configuration or Actuator’s security). To customize it you normally use external properties and beans of type WebSecurityConfigurerAdapter (e.g. to add form-based login).

...

If you add @EnableWebSecurity and also disable Actuator security, you will get the default form-based login for the entire application unless you add a custom WebSecurityConfigurerAdapter.

...

If you define a @Configuration with @EnableWebSecurity anywhere in your application it will switch off the default webapp security settings in Spring Boot (but leave the Actuator’s security enabled). To tweak the defaults try setting properties in security.* (see SecurityProperties for details of available settings) and SECURITY section of Common application properties.

Apparently, it's to switch off the default web application security configuration and add your own.

Answer 2

@EnableWebSecurity is used for spring security java configuration. Add this annotation with @configuration on top of your security java class that extends WebSecurityConfigurerAdapter.

Override the configure(WebSecurity web) & configure(HttpSecurity http). This is the replacement of xml based configurations like <http> and <form login>. This way you can limit requested urls coming from specific urls also enable form based log in.